CVE-2026-12490

Summary

When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.

Affected Software

VendorProductVersion RangeStatus
NLnet LabsNSD4.10.1 < 4.14.3affected

Weaknesses

  • CWE-306: CWE-306: Missing Authentication for Critical Function
  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References